feat(authenticateForVotingEvent): authenticateForVotingEvent API added

The authenticateForVotingEvent allows to authenticate a user who wants to access the various stages
of a voting event which are protected by authentication. It uses the authenticate API already
present and adds checks for roles and the possibility to set a password the first time a users logs
in

Author: EnricoPicci

src/api/authentication-api.ts

@@ -1,11 +1,12 @@
-import { map, tap, mergeMap, last, catchError } from 'rxjs/operators';
+import { map, tap, mergeMap, last, catchError, concatMap, toArray } from 'rxjs/operators';
 import { Collection } from 'mongodb';
 
-import { findObs } from 'observable-mongo';
+import { findObs, updateOneObs } from 'observable-mongo';
 import { ERRORS } from './errors';
 import { logDebug, logError } from '../lib/utils';
-import { validatePasswordAgainstHash$, generateJwt$, verifyJwt } from '../lib/observables';
-import { EmptyError } from 'rxjs';
+import { validatePasswordAgainstHash$, generateJwt$, verifyJwt, getPasswordHash$ } from '../lib/observables';
+import { EmptyError, forkJoin } from 'rxjs';
+import { groupBy } from 'lodash';
 
 export function authenticate(usersColl: Collection<any>, credentials: { user: string; pwd: string }) {
     const _user = { user: credentials.user };
@@ -49,3 +50,54 @@ export function validateRequestAuthentication(headers: any) {
         }
     }
 }
+
+export function authenticateForVotingEvent(
+    usersColl: Collection<any>,
+    params: { user: string; pwd: string; role: string; votingEventId: string },
+) {
+    const _user = { user: params.user };
+    return findObs(usersColl, _user).pipe(
+        toArray(),
+        tap(foundUsers => {
+            if (foundUsers.length === 0) {
+                throw ERRORS.userUnknown;
+            }
+            if (foundUsers.length > 1) {
+                throw new Error(`More than one user with the same user id "${_user}"`);
+            }
+            if (params.role && !foundUsers[0].roles.find(r => r === params.role)) {
+                throw ERRORS.userWithNotTheReuqestedRole;
+            }
+        }),
+        concatMap(([foundUser]) => {
+            return foundUser.pwd
+                ? authenticate(usersColl, params).pipe(map(token => ({ token, pwdInserted: false })))
+                : // if the pwd is not found as hash in the db, it means that this is the first time the user tries to login
+                  // in this case we hash it, store it in the db
+                  getPasswordHash$(params.pwd).pipe(
+                      tap(hash => (foundUser.pwd = hash)),
+                      concatMap(() => updateOneObs({ _id: foundUser._id }, { pwd: foundUser.pwd }, usersColl)),
+                      concatMap(() =>
+                          authenticate(usersColl, params).pipe(
+                              map(token => {
+                                  return { token, pwdInserted: true };
+                              }),
+                          ),
+                      ),
+                  );
+        }),
+    );
+}
+
+export function addUsersWithRole(usersColl: Collection<any>, users: { user: string; role: string }[]) {
+    const usersGroupedByRoles = groupBy(users, 'user');
+    const usersWithRoles = Object.keys(usersGroupedByRoles).map(user => {
+        const roles = usersGroupedByRoles[user].map(item => item.role);
+        return { user, roles };
+    });
+    return forkJoin(usersWithRoles.map(user => updateOneObs({ user: user.user }, user, usersColl, { upsert: true })));
+}
+// export function addUserWithRole(usersColl: Collection<any>, user: { user: string; role: string }) {
+//     const dataToUpdate = { $push: { roles: user.role }, $set: { user: user.user } };
+//     return updateOneObs({ user: user.user }, dataToUpdate, usersColl, { upsert: true });
+// }

src/api/errors.ts

@@ -25,6 +25,7 @@ export const ERRORS = {
     voteAlreadyPresent: { errorCode: 'V-01', mongoErrorCode: 11000, message: `vote already present` } as MongoError,
     pwdInvalid: { errorCode: 'A-01', message: `password not valid` },
     userUnknown: { errorCode: 'A-02', message: `user not known` },
+    userWithNotTheReuqestedRole: { errorCode: 'A-03', message: `user does not have the requesated role` },
     technologyAlreadyPresent: {
         errorCode: 'V-T-01',
         mongoErrorCode: 11000,

src/api/service.ts

@@ -61,7 +61,7 @@ import {
 
 import { executeTwBlipsCollection, findLatestEdition } from './tw-blips-collection-api';
 import { getConfiguration } from './configuration-apis';
-import { authenticate } from './authentication-api';
+import { authenticate, authenticateForVotingEvent } from './authentication-api';
 import { saveLog } from './client-log-apis';
 
 import { defaultTWTechnologies } from '../model/technologies.local-data';
@@ -111,6 +111,7 @@ export function isServiceKnown(service: ServiceNames) {
         service === ServiceNames.closeForRevote ||
         service === ServiceNames.getConfiguration ||
         service === ServiceNames.authenticate ||
+        service === ServiceNames.authenticateForVotingEvent ||
         service === ServiceNames.saveLogInfo
     );
 }
@@ -255,6 +256,8 @@ function executeMongoService(
         returnedObservable = getConfiguration(configurationColl, serviceData);
     } else if (service === ServiceNames.authenticate) {
         returnedObservable = authenticate(usersColl, serviceData);
+    } else if (service === ServiceNames.authenticateForVotingEvent) {
+        returnedObservable = authenticateForVotingEvent(usersColl, serviceData);
     } else if (service === ServiceNames.saveLogInfo) {
         returnedObservable = saveLog(logColl, serviceData, ipAddress);
     } else {

src/mongodb/authentication-api.spec.ts

@@ -1,17 +1,18 @@
 import { expect } from 'chai';
 
-import { switchMap, map, tap, catchError, mergeMap, toArray } from 'rxjs/operators';
+import { switchMap, map, tap, catchError, mergeMap, toArray, concatMap } from 'rxjs/operators';
 
 import { CachedDB, mongodbService } from '../api/service';
 import { config } from '../api/config';
-import { connectObs, dropObs, insertManyObs } from 'observable-mongo';
+import { connectObs, dropObs, insertManyObs, deleteObs } from 'observable-mongo';
 import { ServiceNames } from '../service-names';
 import { ERRORS } from '../api/errors';
-import { of, from } from 'rxjs';
+import { of, from, forkJoin } from 'rxjs';
 import { getPasswordHash$ } from '../lib/observables';
 import { Collection } from 'mongodb';
+import { addUsersWithRole } from '../api/authentication-api';
 
-describe('Authentication operations', () => {
+describe('1.0 - Authentication operations', () => {
     it('loads the users collection and then authenticates one valid user', done => {
         const USERS = [{ user: 'abc', pwd: 'cde' }, { user: '123', pwd: '456' }];
         const validCredentials = USERS[0];
@@ -71,3 +72,137 @@ describe('Authentication operations', () => {
 export function laodUsers(usersColl: Collection<any>, users: any[]) {
     return dropObs(usersColl).pipe(switchMap(() => insertManyObs(users, usersColl)));
 }
+
+describe('1.1 - Voting Event Authentication operations', () => {
+    it('load some users from file with no pwd specified and then authenticate some of them', done => {
+        const VOTING_EVENT_USERS = [
+            { user: 'Mary', role: 'architect' },
+            { user: 'Mary', role: 'admin' },
+            { user: 'John', role: 'architect' },
+        ];
+
+        const cachedDb: CachedDB = { dbName: config.dbname, client: null, db: null };
+
+        let _client;
+        let _userColl;
+        const votingEventName = 'event to test login of users';
+        let votingEventId: string;
+
+        const firstTimePwd = 'I am the password used for the first login';
+        let errorMissingRoleEncountered = false;
+        let errorWrongPwdEncountered = false;
+        let errorUserUnknownEncountered = false;
+
+        connectObs(config.mongoUri)
+            // clean the test data
+            .pipe(
+                tap(client => {
+                    _client = client;
+                    _userColl = client.db(config.dbname).collection(config.usersCollection);
+                }),
+                concatMap(() => forkJoin(VOTING_EVENT_USERS.map(user => deleteObs({ user: user.user }, _userColl)))),
+                concatMap(() => addUsersWithRole(_userColl, VOTING_EVENT_USERS)),
+                concatMap(() =>
+                    mongodbService(cachedDb, ServiceNames.getVotingEvents).pipe(
+                        map(votingEvents => votingEvents.filter(ve => ve.name === votingEventName)),
+                        concatMap(votingEvents => {
+                            const votingEventsDeleteObs = votingEvents.map(ve =>
+                                mongodbService(cachedDb, ServiceNames.cancelVotingEvent, { _id: ve._id, hard: true }),
+                            );
+                            return votingEvents.length > 0 ? forkJoin(votingEventsDeleteObs) : of(null);
+                        }),
+                    ),
+                ),
+                concatMap(() => mongodbService(cachedDb, ServiceNames.createVotingEvent, { name: votingEventName })),
+                tap(id => (votingEventId = id.toHexString())),
+            )
+            // run the real test logic
+            .pipe(
+                // I do the first login - no password yet set
+                concatMap(() => {
+                    const user = VOTING_EVENT_USERS[0].user;
+                    return mongodbService(cachedDb, ServiceNames.authenticateForVotingEvent, {
+                        user,
+                        pwd: firstTimePwd,
+                        votingEventId,
+                    });
+                }),
+                tap(({ token, pwdInserted }) => {
+                    expect(token).to.be.not.undefined;
+                    expect(pwdInserted).to.be.true;
+                }),
+                // I do a second login - the password has been already set and enchripted
+                concatMap(() => {
+                    const user = VOTING_EVENT_USERS[0].user;
+                    return mongodbService(cachedDb, ServiceNames.authenticateForVotingEvent, {
+                        user,
+                        pwd: firstTimePwd,
+                        votingEventId,
+                    });
+                }),
+                tap(({ token, pwdInserted }) => {
+                    expect(token).to.be.not.undefined;
+                    expect(pwdInserted).to.be.false;
+                }),
+                // I do a login requesting a role I do not have
+                concatMap(() => {
+                    const user = VOTING_EVENT_USERS[0].user;
+                    return mongodbService(cachedDb, ServiceNames.authenticateForVotingEvent, {
+                        user,
+                        pwd: firstTimePwd,
+                        role: 'the boss',
+                        votingEventId,
+                    });
+                }),
+                catchError(err => {
+                    errorMissingRoleEncountered = true;
+                    expect(err).to.equal(ERRORS.userWithNotTheReuqestedRole);
+                    return of(null);
+                }),
+                // I do a login with a wrong pwd
+                concatMap(() => {
+                    const user = VOTING_EVENT_USERS[0].user;
+                    return mongodbService(cachedDb, ServiceNames.authenticateForVotingEvent, {
+                        user,
+                        pwd: 'wrong pwd',
+                        votingEventId,
+                    });
+                }),
+                catchError(err => {
+                    errorWrongPwdEncountered = true;
+                    expect(err).to.equal(ERRORS.pwdInvalid);
+                    return of(null);
+                }),
+                // I do a login with a no existing user
+                concatMap(() => {
+                    return mongodbService(cachedDb, ServiceNames.authenticateForVotingEvent, {
+                        user: 'I do not exist',
+                        pwd: 'pwd',
+                        votingEventId,
+                    });
+                }),
+                catchError(err => {
+                    errorUserUnknownEncountered = true;
+                    expect(err).to.equal(ERRORS.userUnknown);
+                    return of(err);
+                }),
+            )
+            .subscribe(
+                () => {},
+                err => {
+                    console.error(err);
+                    cachedDb.client.close();
+                    _client.close();
+                    done(err);
+                },
+                () => {
+                    expect(errorMissingRoleEncountered).to.be.true;
+                    expect(errorWrongPwdEncountered).to.be.true;
+                    expect(errorUserUnknownEncountered).to.be.true;
+                    cachedDb.client.close();
+                    _client.close();
+                    done();
+                },
+            );
+    }).timeout(10000);
+});

src/service-names.ts

@@ -37,5 +37,6 @@ export enum ServiceNames {
     closeForRevote,
     getConfiguration,
     authenticate,
+    authenticateForVotingEvent,
     saveLogInfo,
 }